Computer file system driver control method, program thereof, and program recording medium

ABSTRACT

In the method of controlling a file system driver of an electronic computer and the program for the method and further the storage medium containing the program according to the present invention, access to a file stored in a storage device of the electronic computer is controlled in a kernel mode.  
When a specific file in a file system of an electronic computer (11) is accessed from an application program (4), the access is received in a kernel mode (8) of an OS (3). Then, an access control database (36) comprising filenames in the file system and access methods is referenced to judge whether or not the access to the specific file conforms to conditions prescribed in the access control database (36). If the access to the specific file does not conform to the conditions, the access is canceled.

TECHNICAL FIELD

The present invention relates to a method of controlling access to a file stored in a storage medium of an electronic computer, and also relates to a program for the method and a storage medium containing the program. More particularly, the present invention relates to a method of controlling the processing of an access to a file stored in a storage device, e.g. a hard disk, of an electronic computer, and also relates to a program for the method and a storage medium containing the program.

BACKGROUND ART

There are various kinds of file systems used in electronic computers. A file system is controlled and managed by a file system driver of an OS (Operating System) used in an electronic computer. Files downloaded from Internet and so forth are used after being stored in an auxiliary storage device, e.g. a hard disk, of the electronic computer. The stored files are hardly deleted except as consciously deleted by the user.

(Configuration of Electronic Computer)

An electronic computer comprises many hardware resources such as a central processing unit (CPU), storage devices (a memory, a hard disk, etc.), input devices (a keyboard, a mouse, etc.), output devices (a display, etc.), and peripheral devices (a printer, a scanner, etc.) that are connected through card slots. These hardware devices operate under the control of an OS (Operating System) stored in a storage device.

Various application programs used in the electronic computer run under the OS. The OS controls all the operations of the electronic computer and absorbs differences in specifications of different hardware to provide an environment common to the application programs. In other words, the OS is software that provides basic functions used mutually by many application programs, e.g. input/output functions such as keyboard entry and screen output, and management of the disk and memory, and controls the whole system of the electronic computer. The OS is also known as “basic software”.

The hardware devices of the electronic computer are produced by a plurality of manufacturers, and the specifications thereof may differ among manufacturers. It is desirable for developers of programs using electronic computers to develop application programs without noticing the differences in specifications of the hardware. The OS absorbs the differences in specifications of the hardware to provide an environment common to the application programs.

The developers of the application programs can save the time and labor for development and unify the operability of the application programs by making use of the function provided by the OS. An application program developed for a certain OS can basically be used in any electronic computer in which the OS can run.

There are a large number of different kinds of OS, represented by MS-DOS (registered trademark), UNIX (registered trademark), Linux, FreeBSD (registered trademark), etc. Among them, the Windows series available from Microsoft is the most popular OS for use by corporations and general home users. Mac OS (registered trademark) available from Apple is widely used in the DTP industry and the multimedia industry. Servers of corporations and scientific institutions often use UNIX-based OS's developed by various companies and UNIX-based OS's such as Linux and FreeBSD, which are distributed without charge. In recent years, Windows NT/2000 (registered trademark) available from Microsoft has been increasing the share of the market as an OS for servers.

[Conventional Architecture]

FIG. 12 outlines the architecture of Windows NT/2000 (registered trademark) as a typical OS. As will be understood from FIG. 12, Windows NT/2000 has generally a hierarchical structure comprising hardware 2, an OS 3, and an application program 4 that implements a function requested by the actual user. A microkernel 51 is a program for performing general management of the OS 3. Various software programs (kernel mode software) that run in layers above the layer of the microkernel 51 constitute a kernel mode 8 (see the description given later). The application program 4 in the topmost layer runs in a user mode 9 (see the description given later).

The OS 3 has a hierarchical structure that, roughly speaking, comprises an executive 50, a microkernel 51, and a hardware abstraction layer (HAL) 52. The HAL 52 is located in a layer immediately above the hardware 2. The HAL 52 is a program designed to attach importance to the control of hardware. The program absorbs differences in specifications of various hardware devices such as processors to provide the same environment (independent of models) for services in higher-order layers (the microkernel 51, the executive 50, etc.).

The microkernel 51 provides overall basic functions of the system. The executive 50 is an integrated whole of programs for implementing the provision of main services from the OS 3 by utilizing service functions provided by the microkernel 51 and the HAL 52. The executive 50 includes typical executive programs such as a cache manager 53, an object manager 54, a process manager 55, a memory manager 56, and an I/O manager 57.

The object manager 54 is a program for supervising a running object (a program for implementing a function to be performed for a certain purpose) and executing control and adjustment therefor. The process manager 55 is a program for supervising a process in progress (a program for performing only a certain function) and making adjustment therefor. The cache manager 53 and the memory manager 56 are programs for controlling and adjusting memory and virtual memory. The I/O manager 57 is a program for supervising and controlling the input/output function of the OS 3. The mode in which the electronic computer operates under the executive 50 is called “kernel mode 8”.

In the kernel mode 8, any instruction for operating the OS 3 is executable. If an erroneous instruction is executed, there may be an adverse effect on the whole system. Further, the functions of the OS 3 include a user mode 9 that is completely open to the user to run an application program, etc. In the user mode 9, instructions for operating the OS 3 are limited so that an adverse effect is not exerted on the system. Because the system automatically intercepts instructions that may have an adverse effect on the system, an environment easy for the user to use is provided.

However, the provision of such a limitation is the same as limiting the functions of the OS 3. Therefore, the application program 4 that runs in the user mode 9 cannot directly access any part relating to the hardware 2 and has to pass through the kernel mode 8 to access the hardware 2. The kernel mode 8 enables full use of the functions of the OS 3 and also allows complete access to each input/output device. In addition, a program that runs in the kernel mode 8 is processed with priority to a program that runs in the user mode 9. Thus, high performance can be obtained.

Device drivers 5 belong to the OS 3. The device drivers 5 are software programs for managing external hardware devices of the electronic computer. The device drivers 5 run in the kernel mode 8. Usually, there is only one device for each device driver 5 that has the same attributes as those of the device driver 5. The application program 4 that runs in the user mode 9 has to pass through the device drivers 5 to access the respective devices.

For example, in a case where, as shown in FIG. 13, data is transferred from a device A to a device B, the flow of the data is as follows: “device A”→“device driver A”→(switching the operating mode from the kernel mode 8 to the user mode 9) “application program 4” (switching the operating mode from the user mode 9 to the kernel mode 8)→“device driver B”→“device B”. Thus, the system carries out processing while switching the operating mode from the kernel mode 8 to the user mode 9 or from the user mode 9 to the kernel mode 8.

The switching between the user mode 9 and the kernel mode 8 is time-consuming processing. When a large amount of data such as image data is transferred, the transfer speed becomes slow, and hence an increased length of time is required to transfer the data. Accordingly, it is difficult to increase the transfer speed at the application level. The reason for this is that it is necessary to switch between the user mode 9 and the kernel mode 8 for each processing of the application program 4.

Here, let us explain the conventional operating procedure executed to transfer data between devices. FIG. 13 outlines the relationship between the application program 4 and the device drivers 5 on the one hand and the operating modes 8 and 9 on the other. As will be understood from the figure, the application program 4 runs in the user mode 9.

The device drivers 5 are incorporated in the OS 3 to run in the kernel mode 8. Devices 6 constituting the hardware 2 of the electronic computer comprise various internal devices and external devices connected to the electronic computer. Each device 6 is controlled from a device driver 5 specific thereto. In other words, all accesses to the devices 6 are made through the respective device drivers 5. The device drivers 5 run in response to instructions from the application program 4 through the OS 3.

Next, the flow of data transmission will be explained with reference to the flowchart of FIG. 14. Let us explain the flow of data as transferred from the device A to the device B by the application program 4, which runs in the user mode 9, while comparing the operating modes 8 and 9 of the system. First, the application program 4 sends a data transfer request (instruction) (S50).

At this time, a data transmission request is sent to the device A (S51), and a data reception request is sent to the device B (S52). The operating mode of the system is switched from the user mode 9 to the kernel mode 8. The device driver A receives the data transmission request (S53) and transmits it to the device A (S54). The device A receives the data transmission request (S55) and transmits data (S56). The device driver A receives the transmitted data (S57) and internally processes the data (S58) and then transmits the processed data to the application program 4 (S59).

The operating mode of the system is switched from the kernel mode 8 to the user mode 9. The application program 4 receives and processes the data (S60 and S61) and transmits the processing result to the device driver B (S62). The operating mode of the system is switched from the user mode 9 to the kernel mode 8 again. The device driver B receives the data (S63) and internally processes the received data (S64) and then transmits the processing result to the device B (S65).

The device B receives the data (S66) and sends information indicating the receipt of the data to the device driver B (S67). The device driver B receives the data receipt information (S68) and informs the application program 4 of the completion of the data transfer (S69). The system is switched to the user mode 9. The application program 4 receives the data transfer completion information (S70) and starts the next processing. Thus, the series of data transfer processing operations ends (S71).

Thus, data is transferred as follows: “device A”→“device driver A”→(switching between the operating modes) “application program 4” (switching between the operating modes)→“device driver B”→“device B”. During the data transfer, the system operates while repeatedly switching the operating mode between the kernel mode 8 and the user mode 9. As the amount of data to be handled increases, the number of operating mode switching operations increases.

Further, when another application program is simultaneously running on the system, the system switches between the operating modes for this application program. Consequently, the number of times of switching between the operating modes performed in the system becomes large as a whole, causing a delay in the execution processing of the application programs. The increase in the number of times of switching between the operating modes is likely to cause a reduction in the speed of data transmission/reception processing. In particular, when there is a strong demand for real-time execution capability for image processing or the like, the increase in the number of times of switching between the operating modes may cause disordering of the image displayed on the screen.

To ensure the required system performance in the above-described system, it is important to advance the technology for developing and designing hardware devices and the technology for developing the device drivers 5 for controlling the pieces of hardware 2. To transfer a large amount of data such as image data, in particular, it is desirable to minimize the number of times of switching between the user mode 9 and the kernel mode 8 to thereby increase the speed of data transfer. When there is a strong demand for ensuring the integrity of data, it is desirable that data should be transferred in the kernel mode 8, in which no data can be touched by the user. Particularly, when user authentication is performed by using a password, the integrity of password data, which is confidential data, is very important.

(Explanation of File System)

A named set of data stored in a storage device is defined as a “file”. When the number of files stored in the storage device increases, it is demanded that these files should be functionally managed. It is a general practice to manage a plurality of files compiled in the form of a directory. The directory not only stores files but also allows another directory to be stored therein. Thus, the directory can be formed into a nested structure. The directory is likely to become a hierarchical structure in the form of a tree structure as a whole. An overall structure comprising a collection of files is known as a “file system”.

There are various kinds of file systems. Typical examples of file systems are an FAT file system, an NTFS log-base file system, and an HPFS file system. The access to a file stored in a storage device, e.g. a hard disk, of an electronic computer is controlled by a file system driver.

FIG. 15 shows the relationship between the application program 4, an I/O manager 57, a file system driver 58, a disk driver 59, and a hard disk 60. A read request from the application program 4 is sent to a system service provided by the I/O manager 57 in the kernel mode 8.

In the case of Windows NT (hereinafter referred to as “NT”), I/O subsystems constitute a framework for controlling peripheral devices and providing an interface with these devices. The I/O subsystems comprise all kernel mode drivers. The I/O manager 57 defines and manages the whole of the I/O subsystems. The file system driver 58 is a component of the I/O subsystems. The file system driver 58 has to conform to an interface defined by the I/O manager 57.

The file system driver 58 provides the user with a means for storing information in an auxiliary storage device, e.g. the hard disk 60, and a function of retrieving information stored in the auxiliary storage device. Further, the file system driver 58 has the function of performing creation, revision and deletion of the files stored in the auxiliary storage device and easily and reliably controlling information transfer between the files. The file system driver 58 is also provided with the function of constructing the contents of a file by a method suitable for the application program 4.

File attribute data consists of information concerning a file stored in the auxiliary storage device as to whether the file is a read-only file or a writable file. File systems used in electronic computers have such file attribute data set in detail. The file attribute data includes pieces of information such as the date and time of creation of a file, the date and time of updating of the file, the kind and size of the file, information as to whether or not the file is a read-only file (designatable), and information as to whether or not the file is a hidden file (designatable).

When a file is to be accessed, the file system driver checks the access method by referring to the attributes of the file. In the case of a read-only file, it is not writable. Therefore, the file system driver returns a notice to the user trying to make write access that the file is not writable. It has been set that a file can be accessed only by the access method determined in the file attributes.

In NT, access right to access a file has been set. For example, in NT, a user logging in when the system is started is classified into a level or a group, for example, as “administrator” or “user 1”. It is possible to set an accessible file and an inaccessible file for each user. It is also possible to set a file so that it is a read-only file for one user but writable for another.

It is very difficult when using the conventional file system to limit so that a user can access a file only a predetermined number of times (access to read, write, open, etc.). It is also difficult to set each file so that the file can be accessed only in a predetermined time period or time zone. To make each file accessible only in a predetermined time period or time zone, the attributes of the file need to be changed and rewritten for each time.

It is also difficult to set a file so that when a user (a user of the electronic computer or an application program) accesses the file a predetermined number of times (access to read, write, open, etc.), the file is deleted. Thus, it is difficult to control files in response to a specific access made by the user.

With the above-described technical background, the present invention was made to attain the following objects.

An object of the present invention is to provide a method of controlling the access to a file stored in a storage device of an electronic computer in a kernel mode, and also provide a program for the method and a storage medium containing the program.

Another object of the present invention is to provide a method of obtaining an access log of accesses to a file system of an electronic computer in a kernel mode, and also provide a program for the method and a storage medium containing the program.

Still another object of the present invention is to provide a method of transferring a file containing an access log of accesses to a file system of an electronic computer to a network, and also provide a program for the method and a storage medium containing the program.

A further object of the present invention is to provide a method wherein a file in a file system of an electronic computer is controlled under predetermined conditions after a specific access has been made to the file a predetermined number of times, and also provide a program for the method and a storage medium containing the program.

A still further object of the present invention is to provide a method of performing personal authentication of a user of an electronic computer and controlling the access to the electronic computer from the user, and also provide a program for the method and a storage medium containing the program.

The method of controlling a file system driver of an electronic computer and the program for the method and further the storage medium containing the program according to the present invention have the following advantages.

In the present invention, access to a file system of an electronic computer is performed in a kernel mode that is an operating mode of an OS used in the electronic computer. Therefore, the access can be controlled without interference with the file system driver. Because the access control is effected by using a database specifying access to the file system, it becomes free to control the access to a file.

In the present invention, the access to the file system is controlled by using an interface common to an application program and device drivers and utilizing the program of the interface driver. Therefore, the confidentiality of data is protected, and safe transfer of data can be achieved.

In the present invention, an accessible range and access right are set for each user, and the personal authentication of a user of the electronic computer is performed. The access to the file system can be controlled in the kernel mode on the basis of the set accessible range, within which the user can make access, and the set access right. Thus, it is possible to prevent unauthorized access, an unregistered user's access, and so forth.

DISCLOSURE OF THE INVENTION

The method of controlling a file system driver of an electronic computer according to the present invention is characterized as follows. Access to a specific file is received in a kernel mode that is an operating mode in which all instructions of the OS are executable. Then, an access control database comprising filenames in the file system and access methods is referenced to judge whether or not the access to the specific file conforms to conditions prescribed in the access control database. If the access to the specific file does not conform to the conditions, the access is canceled.

Preferably, if the access conforms to the conditions, the access is transmitted to a file system driver for controlling the file system, and a predetermined change is made to an access method corresponding to the specific file in the access control database.

Preferably, the access comprises at least one of control operations of creating a file, opening a file, closing a file, reading a file, and writing a file, and has the number of execution of control process.

Preferably, the access is canceled when the number of execution of control process has become less or more than a preset value.

Preferably, the history of the access is stored as a log file, and the log file is transferred to another electronic computer connected to the above-described electronic computer directly or through a network.

Preferably, when the access is made from an input device of the electronic computer, input data is analyzed, and the function of the input device is stopped according to the result of the analysis.

Preferably, personal authentication is performed by using each individual's data entry characteristics exhibited when entering data from the keys of a keyboard, to identify a user. Then, the access control database is referenced to obtain the conditions indicating an accessible range within which the user can make access, and the user's access is controlled according to the conditions.

Preferably, a control database having the conditions indicating an accessible range within which the user can make access has previously been stored in a storage device of a server connected to the electronic computer through a network. The above-described personal authentication is performed at the server. The conditions for the user identified by the personal authentication are obtained by retrieval from the control database. The server transmits an instruction for controlling the user's access to the electronic computer. The electronic computer controls the user's access according to the instruction so as to effect at least one of the following: access limitation; access cancellation; and system lock.

The program for controlling a file system driver of an electronic computer and the storage medium containing the program according to the present invention are characterized as follows.

The program comprises application interface means for receiving the access instruction in a kernel mode that is an operating mode in which all instructions of the OS are executable; flow control means for analyzing the access instruction and for controlling the flow of data; referencing means for referencing an access control database comprising a column of filenames in the file system and a column of at least one access method and for outputting a referencing result; data processing means for passing information concerning the specific file and the access instruction to the referencing means and for receiving the referencing result relative to the access instruction to make judgment; a file system driver for controlling the file system; and file system supervising driver means for receiving and passing the access instruction to the file system driver and for receiving a result of execution of the access instruction from the file system driver.

Preferably, the specific file and the access method obtained as a result of analysis made by the flow control means are passed to the data processing means. If the result of the judgment made by the data processing means is “abnormal”, the data processing means cancels the access instruction.

Preferably, the specific file and the access method obtained as a result of analysis made by the flow control means are passed to the data processing means. If the result of the judgment made by the data processing means is “normal”, the data processing means passes the access instruction to the file system supervising driver means, and the data processing means creates an access log.

Preferably, the referencing means enters a change corresponding to the access instruction into the access control database.

Preferably, the data processing means makes the above-described judgment in such a manner that if the value in the column of access method for the specific file is a predetermined value, the data processing means outputs the “abnormal” result.

Preferably, the data processing means outputs an access log of the above-described access.
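
The judgment described in the preceding paragraphs, together with the count-based cancellation stated earlier for the method, as an added example that is not code from the patent: a user-mode C simulation of the database lookup, the "normal"/"abnormal" verdict, the change entered into the database, and the access log. The countdown encoding of the access-method columns, the pass-through policy for unlisted files, the logging of canceled requests, and all names and sample data are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Access methods named in the text. */
enum access_kind { ACC_CREATE, ACC_OPEN, ACC_CLOSE, ACC_READ, ACC_WRITE, ACC_KINDS };
enum verdict { VERDICT_NORMAL, VERDICT_ABNORMAL };

/* Assumed encoding (not from the page): each access-method column holds
 * the number of accesses still permitted; a negative value means no limit,
 * and 0 is the "predetermined value" that yields the "abnormal" result. */
#define UNLIMITED (-1)

struct acl_row {                     /* one row of the access control database */
    const char *filename;
    int remaining[ACC_KINDS];
};

struct acl_db {
    struct acl_row *rows;
    size_t count;
    enum verdict unlisted;           /* assumed policy for files with no row */
};

struct log_entry { char filename[64]; enum access_kind kind; enum verdict verdict; };

#define LOG_CAPACITY 16
struct log_entry access_log[LOG_CAPACITY];
size_t access_log_len, access_log_dropped;

static void log_access(const char *filename, enum access_kind kind, enum verdict v)
{
    if (access_log_len == LOG_CAPACITY) {   /* full: count the loss, keep old entries */
        access_log_dropped++;
        return;
    }
    struct log_entry *e = &access_log[access_log_len++];
    snprintf(e->filename, sizeof e->filename, "%s", filename);
    e->kind = kind;
    e->verdict = v;
}

/* "Referencing means": look the filename up in the database. */
static struct acl_row *find_row(struct acl_db *db, const char *filename)
{
    for (size_t i = 0; i < db->count; i++)
        if (strcmp(db->rows[i].filename, filename) == 0)
            return &db->rows[i];
    return NULL;
}

/* "Data processing means": judge the access, update the row, write the log.
 * VERDICT_NORMAL: the request would go on to the file system driver.
 * VERDICT_ABNORMAL: the request is canceled. */
enum verdict check_access(struct acl_db *db, const char *filename, enum access_kind kind)
{
    if (db == NULL || filename == NULL || (unsigned)kind >= (unsigned)ACC_KINDS)
        return VERDICT_ABNORMAL;     /* malformed request: cancel, nothing to log */

    struct acl_row *row = find_row(db, filename);
    enum verdict v = VERDICT_NORMAL;
    if (row == NULL) {
        v = db->unlisted;
    } else if (row->remaining[kind] == 0) {
        v = VERDICT_ABNORMAL;        /* count exhausted, or never permitted */
    } else if (row->remaining[kind] > 0) {
        row->remaining[kind]--;      /* the change entered into the database */
    }
    log_access(filename, kind, v);
    return v;
}

/* Constructed sample data: report.doc may be opened and closed freely,
 * read twice, and never created or written. */
struct acl_row sample_rows[1];
struct acl_db sample_db;

struct acl_db *sample_db_reset(void)
{
    sample_rows[0] = (struct acl_row){
        .filename = "report.doc",
        .remaining = { [ACC_CREATE] = 0, [ACC_OPEN] = UNLIMITED,
                       [ACC_CLOSE] = UNLIMITED, [ACC_READ] = 2, [ACC_WRITE] = 0 },
    };
    sample_db = (struct acl_db){ sample_rows, 1, VERDICT_NORMAL };
    access_log_len = access_log_dropped = 0;
    return &sample_db;
}

int main(void)
{
    struct acl_db *db = sample_db_reset();
    for (int i = 0; i < 3; i++)      /* the third read exceeds the limit */
        check_access(db, "report.doc", ACC_READ);
    for (size_t i = 0; i < access_log_len; i++)
        printf("%s kind=%d %s\n", access_log[i].filename, (int)access_log[i].kind,
               access_log[i].verdict == VERDICT_NORMAL ? "normal" : "abnormal");
    return 0;
}
```

In a kernel driver the lookup and the decrement would have to run under a single lock, otherwise two concurrent requests could both consume the last permitted access.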

It is also preferable to receive and analyze the input data from the input means and to provide specific data in the input data to the application interface means.

Preferably, the input means is a keyboard, and the above-described stopping of the function is stopping of input data entered from a specific key of the keyboard.

Preferably, the input means is a mouse, and the stopping of the function is stopping of specific data entered from the mouse.

Preferably, the storage means of the electronic computer contains a personal authentication program for performing personal authentication of a user using the electronic computer. The personal authentication program comprises means for obtaining key entry data entered from keys of a keyboard; first authentication means for performing the personal authentication using data entry characteristics exhibited when entering the key entry data to identify the user; means for obtaining the conditions indicating an accessible range within which the user can make access by referencing the access control database; and control means for transmitting the conditions to the flow control means to control the user's access.

Preferably, storage means of a server connected to the electronic computer through a network contains a control program and a control database comprising users' personal information and control conditions, and the electronic computer has transmission means for transmitting the key entry data to the server. Preferably, the control program has reception means for obtaining transmission data transmitted by the transmission means; second authentication means for performing the personal authentication using data entry characteristics exhibited when entering the key entry data, which is included in the transmission data, to identify the user; database referencing means for obtaining the conditions indicating an accessible range within which the user can make access by referencing the control database; and control condition transmitting means for transmitting the conditions and a control instruction to the electronic computer to control the user's access.

Preferably, the method of controlling a file system driver of an electronic computer and the program for the method and further the storage medium containing the program according to the present invention perform personal authentication when the user logs in to the electronic computer or perform on-line authentication continuously.

Preferably, the system of the electronic computer is locked or unlocked in response to an instruction from the server. Preferably, when the power to the electronic computer is turned on after it has been turned off with the electronic computer placed in the locked state, the electronic computer is reset with the operating environment thereof maintained in the condition immediately before the turning off of the power.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a conceptual view showing an embodiment of the present invention.

FIG. 2 is a flowchart showing the operation of the embodiment of the present invention.

FIG. 3 is a block diagram of a common interface driver.

FIG. 4 is a flowchart showing the operation of the system shown in FIG. 3.

FIG. 5 is a flowchart showing a data transfer procedure for an access log database.

FIG. 6 shows an example of a file attribute database.

FIG. 7 shows an example 1 (a) and an example 2 (b) of a control condition database.

FIG. 8 shows an example of the access log database.

FIG. 9 is a conceptual view showing a second embodiment of the present invention.

FIG. 10 is a flowchart showing the operation of the second embodiment of the present invention.

FIG. 11 is a flowchart showing the operation of the second embodiment of the present invention.

FIG. 12 is a diagram showing the architecture of Windows.

FIG. 13 is a conceptual view of a conventional OS and device drivers.

FIG. 14 is a flowchart showing the operating procedure of the conventional device drivers.

FIG. 15 shows the concept of a file system driver.

FIG. 16 is a conceptual view showing a fourth embodiment of the present invention.

FIG. 17 is a flowchart showing the operation of the fourth embodiment of the present invention.

FIG. 18 is a diagram showing schematically a fifth embodiment of the present invention.

FIG. 19 is a diagram showing time intervals for key read operation in the fifth embodiment.

FIG. 20 is a diagram showing an example of input data in the fifth embodiment.

FIG. 21 is a flowchart showing an example of a program of a learning section in the fifth embodiment.

FIG. 22 is a flowchart showing an example of a program of an identifying section in the fifth embodiment.

FIG. 23 is a diagram showing an example of identification results in the fifth embodiment.

FIG. 24 is a diagram showing an example of a control database.

BEST MODE FOR CARRYING OUT THE INVENTION

Embodiments of the present invention will be described below.

(Concept of Common Interface Driver)

FIG. 1 is a conceptual view showing an embodiment of an interface driver program used in an electronic computer according to the present invention. FIG. 1 is a conceptual view of an OS using a common interface driver. FIG. 2 is a flowchart showing the flow of data and instructions when data is transferred.

An electronic computer 1 comprises hardware 2 such as a CPU, memories, and peripheral devices. These pieces of hardware 2 are operated under control of an OS 3 stored in a storage device. An application program 4 used by an end user runs in an environment provided by the OS 3. The OS 3 includes device drivers 5 for controlling peripheral devices. The device drivers 5 control respective devices 6 according to instructions from the application program 4 to receive data from the devices 6 and to transmit data to the devices 6.

In this embodiment, a common interface driver 7 serves as a windowcommon to the device drivers 5 through which exchange of data betweenthe application program 4 and the device drivers 5 is performedcollectively. It is also possible to control transmission and receptionof data between the devices 6 according to instructions from theapplication program 4. The common interface driver 7 is an interfacebetween the device driver A5 and the device driver B5, which operates ina kernel mode 8.

The devices 6 include a device A and a device B, which are controlled bya device driver A and a device driver B, respectively. The flow of datawhen it is transferred from the device A to the device B is shown in theflowchart of FIG. 2. When the application program 4 that runs in a usermode 9 needs to transfer data from the device A to the device B (S1), itsends a data transfer request (instruction) (S2). At this time, theoperating mode of the system is the user mode 9.

The operating mode of the system is switched to the kernel mode 8. Thecommon interface driver 7 receives the data transfer request from theapplication program 4 (S3). The common interface driver 7 analyzes thedata transfer request (S4) to give instructions to various processingsections. The common interface driver 7 sends a data transmissionrequest to the device driver A (S5). The common interface driver 7 sendsa data reception request to the device driver B (S6).

The device driver A receives the data transmission request from thecommon interface driver 7 (S7) and transmits it to the device A (S8).The device A receives the data transmission request (S9) and transmitsdata to the device driver A (S10). The device driver A receives the data(S11), internally processes it (S12) and transfers the processed data tothe common interface driver 7 (S13). The common interface driver 7receives the data and subjects it to processing, e.g. compression andencryption, (S14) and then transmits the result of the processing to thedevice driver B (S15).

The device driver B receives the data from the common interface driver 7(S16), internally processes it (S17) and transmits the result of theinternal processing to the device B (S18). The device B receives thedata (S19) and sends information indicating the receipt of the data tothe device driver B (S20). The device driver B receives the data receiptinformation (S21) and sends information indicating the completion of thedata transfer to the common interface driver 7 (S22).

The common interface driver 7 receives the data transfer completioninformation (S23), sends the data transfer completion information to theapplication program 4, and waits for a subsequent instruction (S24). Atthis time, the operating mode of the system is switched from the kernelmode 8 to the user mode 9. The application program 4 receives the datatransfer completion information (S25) and starts subsequent processing.

Thus, the series of data transfer operations ends (S26). As statedabove, data is transferred as follows: “device A”→“device driverA”→“common interface driver 7”→“device driver B”→“device B”. During thetransfer of the data, the system operates in the kernel mode 8, and itis unnecessary to switch between the operating modes.

Further, data is transferred between the devices 6 directly in thekernel mode 8 without passing through the application program 4 in theuser mode 9. Accordingly, it becomes possible to transfer a large amountof data at high speed. In addition, because data is transferred in thekernel mode 8, in which no data can be handled directly from theapplication program 4, the integrity of data is enhanced.

When the device B includes various devices such as input devices, e.g. akeyboard and a mouse, the devices have respective device drivers. Thesedevice drivers 5 are connected to the common interface driver 7 inparallel to exchange data with each other or with the applicationprogram 4 through the common interface driver 7.

The common interface driver 7 has functions to execute variousprocessing, including data compression, encryption and decryption. Whenrequested from the application program 4, the common interface driver 7performs high-speed transmission and reception of data between thedevices 6 or between the application program 4 and the devices 6 byusing these functions.

In addition, the common interface driver 7 has a time stamp function toindicate the time of received data, thereby being capable of putting atime stamp on data received from the devices 6 and so forth. By usingthe time stamp function, it is possible to accurately grasp informationconcerning the time of entry of data made from the devices 6.

In particular, when data entry time is important as in the case ofpersonal authentication using the user's data entry characteristics,e.g. those exhibited when entering key entry data, even more accuratetime can be grasped.

First Embodiment of Common Interface Driver

The following is a description of a first embodiment of the file access control using the common interface driver 7 that runs in the kernel mode 8. FIG. 3 shows a mode of controlling access made to a file stored in a hard disk 34 of an electronic computer 11. FIG. 4 is a flowchart showing the flow of the access control.

To access a file stored in the hard disk 34 from an application program 4 running on the electronic computer 11, the application program 4 sends a request for access to the file through an interface provided by the standard specifications of Windows. At this time, the application program 4 exchanges data with the hard disk 34 via the common interface driver 7.

The common interface driver 7 comprises an application interface section 17, a flow control section 25, a data processing section 19, a TDI client driver section 20, an access data managing section 30, an encryption/decryption section 31, a file system supervising driver section 32, and so forth. The outline of the function of each section is as follows.

The file system supervising driver section 32 performs transmission and reception of data to and from a file system driver 33 in response to a request from the flow control section 25 or the data processing section 19. The application interface section 17 provides an interface between the application program 4 and the common interface driver 7. The application interface section 17 receives a command such as a file access request from the application program 4 and transmits the result of the execution of the command or other data received from the flow control section 25 to the application program 4.

The data processing section 19 produces file attribute data and performs input and output of data to and from the access data managing section 30, the encryption/decryption section 31 and the TDI client driver section 20.

The TDI client driver section 20 provides an interface between a network driver 21 and the common interface driver 7. The network driver 21 comprises a protocol driver 22 and an NDIS (Network Driver Interface Specification) driver 23. The network driver 21 controls a network card 16 to establish connection and to control the protocol when data is transmitted to a network 26.

The protocol driver 22 controls the communication protocol when data is transferred to the network 26. The NDIS driver 23 provides an interface between the protocol driver 22 and the network card 16. The TDI client driver section 20 receives packeted data from the data processing section 19 and outputs it to the protocol driver 22.

The flow control section 25 analyzes an instruction or the like from the application program 4 received through the application interface section 17 and gives instructions to the data-processing section 19, the file system supervising driver section 32, etc. to control them.

The access data managing section 30 manages a database 35 containing information concerning files stored in the hard disk 34 or other auxiliary storage device. That is, the access data managing section 30 references the database 35, enters data thereinto, and controls it. More specifically, the access data managing section 30 enters or deletes data such as an access log of accesses to files, control conditions, and file attributes in the database 35 and references the data stored therein.

The file system supervising driver section 32 provides an interface between the common interface driver 7 and the file system driver 33 that provides access to a file stored in the hard disk 34 or other auxiliary storage device.

Next, the flow of data through the common interface driver 7 will be described with reference to the flowchart of FIG. 4.

To access a file, the application program 4 outputs a file access request through an interface provided by the standard specifications of Windows (S100 and S101). The application interface section 17 of the common interface driver 7 receives the access request (S102) and transmits the file access request to the flow control section 25 (S103).

The flow control section 25 receives the file access request (S104), analyzes it (S105), and transmits the result of the analysis to the data processing section 19 (S106). The data processing section 19 receives the analysis result (S107), produces file attribute information for referencing file access information and transmits the file attribute information to the access data managing section 30 (S108). The access data managing section 30 receives the file attribute information (S109) and references a control condition database 36 and a file attribute database 37 in the database 35 (S110).

Then, the flow control section 25 adds a time code to data information (S111). The access data managing section 30 transmits the referencing result to the data processing section 19 (S112). The data processing section 19 receives the referencing result (S113) and judges whether or not the referencing result is “normal” (S114). If the referencing result is judged to be “normal” (if “Yes” is the answer), the data processing section 19 transmits the file access request to the file system supervising driver section 32 (S115). The file system supervising driver section 32 receives the file access request (S116) and transmits it to the file system driver 33 (S117). Then, the file system supervising driver section 32 waits for a response from the file system driver 33 (S118).

The file system driver 33 accesses the hard disk 34 to perform a file operation and transmits the result of the access to the file system supervising driver section 32. The file system supervising driver section 32 receives the access result (S119) and transmits it to the flow control section 25 (S120).

The flow control section 25 receives the access result (S121) and transmits it to the application interface section 17 (S122). The application interface section 17 receives the access result (S123) and transmits it to the application program 4 (S124). The application program 4 receives the response to the file access request and starts the subsequent processing (S133).

If the result of the judgment made by the data processing section 19 is not “normal” (if “No” is the answer at step 114), the data processing section 19 cancels the access request (S125) and transmits a notice of cancellation of the access request to the flow control section 25 (S126). The data processing section 19 adds the access request cancellation notice to the data information (S127) and transmits the data information with the notice to the access data managing section 30 as abnormality information (S128).

The flow control section 25 receives the abnormality information indicating the cancellation of the access request (S129) and transmits it to the application interface section 17 (S130). The application interface section 17 receives the abnormality information (S131) and transmits it to the application program 4 (S132). The application program 4 receives the response to the file access request and starts the subsequent processing (S133).

(Transfer Flow Concerning Access Log Database 38)

The following is a description of the backup of the database 35 shown in FIG. 5.

The flow control section 25 supervises the amount of data stored in the access log database 38. When the amount of data stored in the access log database 38 exceeds a predetermined value, the flow control section 25 outputs an instruction for executing a backup operation or for transferring the data to a server on the network 26. That is, the flow control section 25 outputs an instruction for starting the operation (S150), and checks the amount of data stored in the access log database 38 (S151). The flow control section 25 judges whether or not the amount of data stored in the access log database 38 is in excess of a predetermined value (S152). If the amount of data stored in the access log database 38 is not in excess of the predetermined value (if “No” is the answer), the operation is interrupted (S153) and terminated (S163).

If the amount of data stored in the access log database 38 is in excess of the predetermined value (if “Yes” is the answer), the flow control section 25 instructs the data processing section 19 to transfer data from the access log database 38 (S154). The data processing section 19 receives the data transfer instruction (S155) and requests the access data managing section 30 to execute data transfer (S156). The access data managing section 30 receives the data transfer request (S157), obtains data from the access log database 38 and transfers the data to the data processing section 19 (S158). The data processing section 19 receives the transferred data (S159) and produces transmission data to be transmitted to the network 26 (S160).

If it is necessary to execute encryption processing for data security protection when transmission data to be transmitted to the network 26 is produced, the data is subjected to encryption processing in the encryption/decryption section 31. The encrypted data is packeted to transmit it to the network 26, thereby producing transmission data (S161). The transmission data is sent to the TDI client driver section 20. The TDI client driver section 20 transmits the transmission data to the network 26 (S162). Thus, a series of operations ends (S163).

(Example of File Attribute Data)

FIG. 6 illustrates an example of the arrangement of the file attribute database 37. The file attribute database 37 comprises the columns respectively entitled “Filename” 101, “Creation Date” 102, “Updating Date” 103, “Access Date” 104, “Hidden File” 105, “Read-Only” 106, “Size” 107 and “Access Authorized User” 108. “Filename” 101 is a name of a file, which also includes an extension identifying the type of the file. “Filename” 101 may include a filename with a path.

“Creation Date” 102 is the date at which a file was created. “Updating Date” 103 is the date at which the file was last updated. “Access Date” 104 is the last date at which the file was accessed. To make a file invisible normally, “Yes” is entered in the column of “Hidden File” 105. To make the file visible normally, “No” is entered in the column of “Hidden File” 105. To make a file read-only, “Yes” is entered in the column of “Read-Only” 106. To make the file not read-only, “No” is entered in the column of “Read-Only” 106. The column of “Size” 107 expresses the size of a file in terms of bytes. The column of “Access Authorized User” 108 shows the attributes of a user who can access the file.

For example, “open” 109 indicates that the file is accessible by anyone, and “owner” 110 indicates that the file is accessible only by a user who logged in the system as an “owner”. “Administrator” 111 is an administrator of the system. It is also possible to designate a specific user (Taro) in combination with a password (pswd01) as shown by “Taro/pswd” 112.

(Example of Control Condition Database)

FIG. 7 illustrates two examples of the arrangement of the control condition database 36. In the example shown in Table (a) of FIG. 7, the control condition database 36 comprises the columns respectively entitled “Filename” 101, “Create” 113, “Open” 114, “Close” 115, “Read” 116 and “Write” 117. “Filename” 101 is a name of a file, which also includes an extension. Preferably, “Filename” 101 also includes the path of the file. The columns following the column of “Filename” 101, i.e. “Create” 113, “Open” 114, “Close” 115, “Read” 116, and “Write” 117, indicate file access methods, which respectively mean creating, opening, closing, reading, and writing of a file.

It can be predetermined that if “0” has been set in a certain column, access corresponding to the column cannot be made. It can also be predetermined that if a numeral not less than 1 has been set in a certain column, access corresponding to the column can be made. In this case, the set numerical value may be decremented every time the user makes access. Thus, the set numeral can be rewritten. These operations can be performed by the data processing section 19 and the access data managing section 30. Thus, access can be managed with a counter.

In the case of “C:¥folder1¥filename01.abc”, for example, the value “4” is in the column of “Write” 117. If the value is decremented by 1 every time write access is made, it is possible to make write access up to 4 times. After access has been made 4 times, the value becomes “0”. Hence, it becomes impossible to make write access. The same is the case with the other columns. With the control condition database 36 arranged as stated above, it becomes possible to perform file access management and control with a counter, and hence to freely manage and control the access to a file according to the type and method of the access to the file.

In the second example shown in Table (b) of FIG. 7, the column entitled “User” 118 is additionally provided to perform the above-described access control with a counter for each user. That is, file access control is performed for each user, for example, “Taro” as shown in Table (b) of FIG. 7. Other columns may be added for file management, such as “Period” 119 indicating the period of time during which the file concerned is accessible, and “Time Zone” 120 indicating the time zone during which the file concerned is accessible. In the column of “Period” 119, the beginning and the end of a period of time are expressed by year, month and day. In the column of “Time Zone” 120, the beginning and the end of a time zone are expressed in 24-hour notation. In either case, the beginning and the end are separated from each other by the mark “:”.

In this case, a certain user 118 can access a file with a registered filename 101 only by a predetermined method and only in a registered specific time zone 120 within a registered specific period 119. With respect to “C:¥folder1¥filename01.abc”, for example, Taro, Hanako, and Everyone can read (the value is not less than 1). However, the time zone 120 during which they can access the file is between 9 hours 30 minutes and 17 hours 30 minutes for Taro, between 14 and 17 hours for Hanako, and between 8 and 22 hours for Everyone.
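The row lookup and checks described for Table (b) of FIG. 7 can be modelled as follows; this is an added example, not code from the patent. The field encodings, the rule that a user-specific row takes precedence over “Everyone”, the deny result for files with no row, and all sample values other than the filename and the three time zones are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Access methods = the columns "Create", "Open", "Close", "Read", "Write". */
enum { OP_CREATE, OP_OPEN, OP_CLOSE, OP_READ, OP_WRITE, OP_COUNT };

enum verdict { ALLOW, DENY_NO_RULE, DENY_PERIOD, DENY_TIME, DENY_COUNT };

/* One row of Table (b). The encodings are assumptions of this sketch. */
struct rule {
    const char *user;            /* "User" 118; "Everyone" matches any user */
    const char *filename;        /* "Filename" 101 with path                */
    int count[OP_COUNT];         /* remaining accesses; 0 = not permitted   */
    int period_from, period_to;  /* "Period" 119 as YYYYMMDD, inclusive     */
    int tz_from, tz_to;          /* "Time Zone" 120, minutes after midnight,
                                    start inclusive, end exclusive          */
};

/* The page prints this path with the yen sign in place of the backslash. */
#define FILE01 "C:\\folder1\\filename01.abc"

/* Constructed sample rows: the time zones follow the text, the counters
   and periods are made up for the example. */
struct rule table[] = {
    { "Taro",     FILE01, {0, 5, 5, 2, 4}, 20020101, 20021231, 9*60+30, 17*60+30 },
    { "Hanako",   FILE01, {0, 5, 5, 1, 0}, 20020101, 20021231, 14*60,   17*60    },
    { "Everyone", FILE01, {0, 5, 5, 3, 0}, 20020101, 20021231, 8*60,    22*60    },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Most specific row wins (assumption): a row naming the user overrides the
   "Everyone" row, so a narrow per-user window cannot be widened by it.
   The path is assumed to be canonical already; a real filter has to
   normalise case and path aliases before this comparison. */
struct rule *find_rule(struct rule *t, size_t n, const char *user, const char *file)
{
    struct rule *fallback = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].filename, file) != 0)
            continue;
        if (strcmp(t[i].user, user) == 0)
            return &t[i];
        if (strcmp(t[i].user, "Everyone") == 0)
            fallback = &t[i];
    }
    return fallback;
}

/* Decide one access request. The counter is decremented only after every
   other condition has passed, so a refused request never uses up an access. */
enum verdict check_access(struct rule *t, size_t n, const char *user,
                          const char *file, int op, int date, int minute)
{
    struct rule *r = find_rule(t, n, user, file);
    if (r == NULL || op < 0 || op >= OP_COUNT)
        return DENY_NO_RULE;               /* assumption: no row means deny */
    if (date < r->period_from || date > r->period_to)
        return DENY_PERIOD;
    if (minute < r->tz_from || minute >= r->tz_to)
        return DENY_TIME;
    if (r->count[op] <= 0)
        return DENY_COUNT;
    r->count[op]--;
    return ALLOW;
}

/* Remaining count for the row that applies to this user, or -1 if none. */
int remaining(struct rule *t, size_t n, const char *user, const char *file, int op)
{
    struct rule *r = find_rule(t, n, user, file);
    return (r == NULL || op < 0 || op >= OP_COUNT) ? -1 : r->count[op];
}

int main(void)
{
    static const char *name[] = { "ALLOW", "DENY_NO_RULE", "DENY_PERIOD",
                                  "DENY_TIME", "DENY_COUNT" };
    printf("Taro read 10:00    -> %s\n",
           name[check_access(table, TABLE_LEN, "Taro", FILE01, OP_READ, 20020105, 10*60)]);
    printf("Taro read 20:00    -> %s\n",
           name[check_access(table, TABLE_LEN, "Taro", FILE01, OP_READ, 20020105, 20*60)]);
    printf("Hanako read 15:00  -> %s\n",
           name[check_access(table, TABLE_LEN, "Hanako", FILE01, OP_READ, 20020105, 15*60)]);
    printf("Hanako read again  -> %s\n",
           name[check_access(table, TABLE_LEN, "Hanako", FILE01, OP_READ, 20020105, 15*60)]);
    return 0;
}
```

The precedence choice matters: if the “Everyone” row were consulted whenever the user's own row refused, Taro's 9:30 to 17:30 window would silently extend to 8 to 22 hours.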

(Example of Access Log Database)

FIG. 8 illustrates an example of the arrangement of the access log database 38 containing an access log of accesses to files. The access log database 38 comprises the columns respectively entitled “User” 118, “Filename” 101, “Create” 113, “Open” 114, “Close” 115, “Read” 116, “Write” 117, and “Time Code” 121. “User” 118 is a name of a user who accessed the file concerned. “Filename” 101 is a name of a file that a user 118 accessed. It is desirable that “Filename” 101 should be associated with an extension of the file and a path indicating the location where the file has been stored.

The columns of “Create” 113, “Open” 114, “Close” 115, “Read” 116 and “Write” 117 indicate ways in which access was made. The value “1” indicates access that was made to perform a particular file operation. “Time Code” 121 indicates the date and time at which access was made. For example, it will be understood from the access log database 38 that “C:¥folder1¥filename01.abc” was created [the value in “Create” 113 is “1”] at 18 hours 6 minutes 0 second on Dec. 10, 2001 and this file was opened [the value in “Open” 114 is “1”] at 1 hour, 6 minutes and 30 seconds on Jan. 5, 2002. The user 118 at that time was “Taro”.

The access log database 38 is created in the data processing section 19 according to instructions from the flow control section 25 and written in the database 35 by the access data managing section 30. When the amount of data stored in the access log database 38 exceeds a predetermined value, the data is transferred to a server or an electronic computer on the network 26 and stored therein. It is also possible to store the data in a local auxiliary storage device, e.g. the hard disk 34, for data backup.

Second Embodiment

FIG. 9 is a conceptual view of a second embodiment. The second embodiment is basically the same as the first embodiment. In the following, only a part of the second embodiment in which it differs from the first embodiment will be described. The electronic computer 11 is connected to a log server 28 through the network 26. The log server 28 has a log database 28 to store therein an access log transmitted from the electronic computer 11.

In the second embodiment, when an access instruction is issued from the application program 4, the data processing section 19 produces transmission data to be transmitted to the network. The transmission data is transmitted directly to the log server 28 by the TDI client driver section 20. Accordingly, the database 35 comprises the control condition database 36 and the file attribute database 37. The access data managing section references, changes and updates the control condition database 36 and the file attribute database 37.

The data processing section 19 judges whether or not the referencing result is “normal” at step S114 (see the flowchart of FIG. 4). If the referencing result is judged to be “normal”, the data processing section 19 transmits the access request to the file system supervising driver section 32 (S115) to create an access log and transmits it to the log server 28 on the network 26. The transmission procedure will be described below with reference to the flowchart of FIG. 10.

If the referencing result is judged to be “normal” (S170), the data processing section 19 creates an access log (S171) and produces transmission data to be transmitted to the network 26 (S172). The data processing section 19 transmits the produced transmission data to the TDI client driver section 20 (S173). The TDI client driver section 20 receives the transmission data and transmits it to the network through the network driver 21 (S174).

The log server 28 receives the transmission data, takes out the access log from the transmission data and adds it to the log database 29 stored in a storage device. Accordingly, accesses made to files stored in the hard disk 34 of the electronic computer 11 can be grasped by referencing the log database 29.

The structure of the log database 29 is basically the same as that of the access log database 38 shown in the first embodiment. Therefore, a description thereof is omitted. It should be noted, however, that the control condition database 36, the file attribute database 37 and the log database 29 are merely one example and may differ in structure, depending upon business use application and the feature of the file system or the system design feature.

Further, if the electronic computer 11 has input devices such as a keyboard and a mouse, user authentication can be performed by utilizing the peculiarity of each individual user exhibited when entering data from these input devices. Thus, it is possible to construct a system in which the user authentication is combined with the second embodiment. In this case, it is possible to prevent unauthorized access, particularly unauthorized access to files in the hard disk, and to perform control against unauthorized access.

Third Embodiment

The third embodiment is similar to the above-described first or second embodiment. Therefore, a detailed description thereof is omitted, and only a part of the third embodiment in which it differs from the first or second embodiment will be described below. In the third embodiment, the data processing section 19 has the function of issuing an instruction for deleting a file in the file system. A procedure for deleting a file in the hard disk 34 by using the above-described function will be described with reference to the flowchart of FIG. 11.

After a file in the file system has been accessed, the access data managing section 30 updates the control condition database 36 in response to an instruction from the data processing section 19 (S180). At this time, the access data managing section 30 confirms the value in the updated column (S181). If the value is “0”, the access data managing section 30 informs the data processing section 19 of this fact (S182). Upon receipt of the notice that the value is “0”, the data processing section 19 outputs a file delete instruction to delete the file for which the value is “0” (S183).

The file system supervising driver section 32 receives the file delete instruction (S184) and transmits it to the file system driver 33 (S185). Accordingly, the file system driver 33 deletes the file. Thus, it is possible to delete a file in the file system by setting the value of the file in the control condition database 36 to a specific value.

As stated above, when the value of the file in the control condition database 36 changes from “1” to “0”, the data processing section 19 outputs a file delete instruction. This means that the file is deleted after being accessed only once. This technique is applicable to various situations. For example, it can be set that a file downloaded from the network disappears after it has been executed only once.

Fourth Embodiment

FIG. 16 is a conceptual view of a fourth embodiment of the present invention. The fourth embodiment is similar to the first to third embodiments. Therefore, a detailed description thereof is omitted, and only a part of the fourth embodiment in which it differs from the first to third embodiments will be described below.

In the fourth embodiment, the common interface driver 7 has the functions of limiting input devices of the electronic computer 11, such as a mouse 27 and a keyboard 15, and limiting and controlling operations taking place in response to instructions entered from the input devices. These functions are performed by a mouse supervising driver section 39 and a keyboard supervising driver section 41 of the common interface driver 7.

When the mouse 27 is actuated, input data entered therefrom is transmitted to the mouse supervising driver section 39 by a mouse driver 40. When the keyboard 15 is actuated, input data entered therefrom is transmitted to the keyboard supervising driver section 41 by a keyboard driver 24. Further, the input data is transmitted to the data processing section 19 or the flow control section 25 from the mouse supervising driver section 39 or the keyboard supervising driver section 41.

Input data entered from the input device is sent to the data processing section 19 from the mouse supervising driver section 39 or the keyboard supervising driver section 41 and transmitted to the application interface section 17 through the flow control section 25. Then, the input data is provided to the application program 4 from the application interface section 17.

A user operating the electronic computer 11 may open, copy or print a specific file. The user can perform these operations by actuating the keyboard 15, in particular. The system administrator or a particular use application may require that copying or printing of a specific file be disabled. To meet such requirements, it is necessary to limit data entry from the keyboard 15 or other input devices.

The operation of the fourth embodiment is shown in the flowchart of FIG. 17. The flowchart will be described below.

The data processing section 19 receives input data from an input device (S200), and analyzes the input data (S201). Then, it is judged whether or not the input data is data from the keyboard 15 (S202). If it is data from the keyboard 15, it is judged whether or not the input data is data from an input inhibit key (S204). If it is data from an input inhibit key, the input data is canceled (S207).

If the input data is not data from an input inhibit key, the input data is transmitted to the flow control section 25 (S208). The flow control section 25 receives the input data (S209) and transmits it to the application interface section 17 (S210). The application interface section 17 receives the input data (S211) and transmits it to the application program 4 (S212). Then, the data processing section 19 waits until subsequent input data is entered from an input device (S213). When there is subsequent input data, the processing is repeated from step S200.

If it is judged at step S202 that the input data is not data from the keyboard 15 (“No” is the answer), it is judged whether or not the input data is data from the mouse 27 (S203). If it is data from the mouse 27, it is checked whether or not the input data is data indicating an inhibited operation from the mouse 27 (S205). If the input data is data indicating an inhibited operation from the mouse 27, the process proceeds to step S207 (see the above description of S207).

If it is judged that the input data is not data indicating an inhibited operation from the mouse 27 (S205), the process proceeds to step S208. If it is judged at step S203 that the input data is not data from the mouse 27, the input data is canceled (S206). If the input data is canceled at step S206 or S207, the data processing section 19 waits until subsequent data is entered (S213).

When receiving input data from an input device, the data processing section 19 judges from which of input devices the input data has been entered (S202 and S203). Then, the data processing section 19 extracts control conditions corresponding to the input device from which the input data has been entered, although not shown in the figure. Alternatively, the control conditions corresponding to the input device may have previously been set in the data processing section 19 or the flow control section 25.

Alternatively, when there is access to a specific file from the application program 4, control conditions corresponding to an input device may be set in the database 35 in association with control conditions for the specific file. In this case, if there are control conditions corresponding to an input device when the data processing section 19 references the database 35, the system enters into an operating mode for checking input data from an input device.

By doing so, it can be set that when a user opens a certain file, he or she can only read the file but cannot perform other operations such as copying, printing or editing of the file.

Fifth Embodiment

FIG. 18 shows the outline of the fifth embodiment. The system in thefifth embodiment comprises at least a client 201 and a server 202. Theclient 201 and the server 202 are connected to each other through anetwork 203 to perform transmission and reception of data. The network203 may be any wired or wireless network, e.g. LAN or Internet, whichallows the client 201 and the server 202 to perform transmission andreception of data.

The client 201 is an electronic computer having at least a keyboard 15and a LAN board 16. The client 201 has a common interface driver 7installed therein. The client 201 further has a database 35 (see FIG.3). The common interface driver 7 has functions similar to those of thecommon interface driver 7 in the first to fourth embodiments. Therefore,the common interface driver 7 will not be herein described in detail.The common interface driver 7 has the function of obtaining data thatthe user enters from the keyboard 15 and transmitting the data to theserver 202. More specifically, the common interface driver 7 obtainsinput data including data for identification of a key that the user hasdepressed or released and time data concerning the depression or releaseof the key, and transmits the input data to the server 202.

The server 202 has a user authentication program 204 installed therein. The server 202 has a user database 205 comprising data indicating data entry characteristics of users exhibited when they enter data from the keyboard 15. The user authentication program 204 receives input data transmitted from the client 201 and analyzes the input data while comparing it with the data in the user database 205 to identify the user.

Further, the server 202 has a control database 211. The control database 211 contains data indicating an accessible range within which a user can make access. For example, the control database 211 may contain control conditions similar to those stored in the control condition database shown in FIG. 7.

The user authentication program 204 identifies the user. A control program 210 references the control database 210 by using the result of the user identification to obtain accessible range data concerning the user and transmits the obtained data to the client 201. The client 201 receives the accessible range data and stores it into the control condition database 36. Thus, it is possible to control access to the file system and entry of data from an input device. The operation performed at the client has been described in detail in the foregoing first to fourth embodiments. Therefore, a detailed description thereof is omitted. In the following, the operation at the server 202 will mainly be described.

[Outline of LVQ]

The user authentication program 204 analyzes the input data by using a neural network technique. For example, the user authentication program 204 uses a learning vector quantization algorithm (hereinafter abbreviated as “LVQ”). The LVQ is a technique developed by T. Kohonen. There are a plurality of versions LVQ1 to LVQ3.

In the fifth embodiment, LVQ1 is used. Other LVQ algorithms and neural network algorithms are also usable. LVQ is a publicly known technique detailed, for example, in T. Kohonen “Self-Organizing Maps” (Springer Series in Information Sciences, 30, 2000; Springer Verlag). Therefore, a detailed description of LVQ is omitted herein.

The LVQ method is as follows. Sample data (hereinafter referred to as “teacher data”) given in the initial state is divided into classes characterized by a plurality of feature vectors to effect quantization, and the distance between an input vector and each feature vector is calculated. A feature vector at the closest distance to the input vector is determined, and the class to which the closest feature vector belongs is judged to be a class to which the input vector belongs.

The LVQ1 is expressed by the following equation, and learning is performed as follows. A plurality of feature vectors that characterize classes have been given in the initial state. Distances between input teacher data and all the feature vectors are calculated. Thus, the class to which the feature vector at the closest distance to the teacher data belongs can be estimated as the class to which the teacher data belongs.

A specified number of feature vectors are produced for each class and initialized by using a random number to start learning. The value of the random number is between the maximum and minimum values of vector data in each class. The feature vectors are updated to perform learning according to the following equation 1. The learning is performed a predetermined number of times to obtain an optimal feature vector with respect to the teacher data.

In the equation 1, $m_i$ and $m_j$ denote a feature vector at the closest distance to teacher data $x$. $m_i$ is the feature vector when it belongs to a class different from that of the teacher data $x$, and $m_j$ is the feature vector when it belongs to the same class as that of the teacher data $x$. $\sigma(t)$ is a coefficient that assumes a value of from 0 to 1.

$$
\begin{aligned}
m_i(t+1) &= m_i(t) - \sigma(t)\,[x(t) - m_i(t)] \\
m_j(t+1) &= m_j(t) + \sigma(t)\,[x(t) - m_j(t)] \\
m_k(t+1) &= m_k(t) \quad \text{for } k \neq i, j
\end{aligned}
\qquad \text{(Eq. 1)}
$$

[Personal Characteristics]

In the fifth embodiment, data entry characteristics of a user are expressed by using a time at which the user depresses a specific key and a time at which he or she releases the key. That is, the depress time at which the user depresses a key and the release time at which he or she releases the depressed key are used. Data entry characteristics of a user can be determined by the interrelation between a key that the user types and keys typed before and after the key.

FIG. 19 illustrates an example of the user's data entry characteristics determined by the interrelation between keys typed by the user. Kinds of time as stated below are used as data showing data entry characteristics of a user. The abscissa axis in the figure is a time base. The downward large arrows each show the time of the operation of depressing a key. Similarly, the upward large arrows each show the time of the operation of releasing a depressed key. Each combination of downward and upward large arrows shows a typing operation in which the user depresses and releases one key. When the user enters data from the keyboard 15, the common interface driver 7 obtains a key code for identifying each key typed by the user, the time of depressing the key and the time of releasing the key, and transmits these pieces of data to the server 202 as input data.

Graph (a) in FIG. 19 shows an example in which the user types keys 1 to 3 successively. In the graph, t1, t2 and t3 show the temporal interrelation between the key 1 and the key 2. That is, t1 is a time interval from the time of depressing the key 1 to the time of depressing the key 2, and t2 is a time interval from the time of releasing the key 1 to the time of depressing the key 2. Further, t3 is a time interval from the time of releasing the key 1 to the time of releasing the key 2.

In the graph, t1′, t2′ and t3′ show the temporal interrelation between the key 2 and the key 3 in the same way as in the case of t1, t2 and t3. The time intervals t2 and t2′ can assume minus values according to the interrelation between the time of releasing the key 1 and the time of depressing the key 2 or the interrelation between the time of releasing the key 2 and the time of depressing the key 3.

Graph (b) in FIG. 19 shows another example in which the user types the keys 1 to 3 successively. In the graph, t4, t5, t4′, t5′ and t4″ show the temporal interrelation among the keys 1 to 3. That is, t4 is a time interval from the time of depressing the key 1 to the time of releasing the key 1, and t5 is a time interval from the time of releasing the key 1 to the time of depressing the key 2. Further, t4′ is a time interval from the time of depressing the key 2 to the time of releasing the key 2, and t5′ is a time interval from the time of releasing the key 2 to the time of depressing the key 3. Furthermore, t4″ is a time interval from the time of depressing the key 3 to the time of releasing the key 3.

The time intervals t5 and t5′ can assume minus values according to the interrelation between the time of releasing the key 1 and the time of depressing the key 2 or the interrelation between the time of releasing the key 2 and the time of depressing the key 3.

[Processing at Client]

In the sixth embodiment, the client 201 obtains input data at the time of the user's entering data from the keyboard 15 and transmits the input data to the server 202. At the client 201, data concerning keys is obtained by the common interface driver 7 running in the kernel mode. The operation of the common interface driver 7 has already been described in detail in connection with the foregoing first to fifth embodiments. Therefore, a description thereof is omitted herein.

FIG. 19 illustrates an example of input data obtained by the common interface driver 7 and transmitted to the server 202. The input data comprises the following columns: “Number” 210; “Time” 211; “IP” 212; “Key Code” 213; and “Depress/Release” 214. “Number” 210 is the ordinal number of key data obtained. “Time” 211 is the time at which key data is obtained. “Time” 211 is expressed in units of 100 nanoseconds of real time.

“IP” 212 is an address on the network for identifying the client 201. “Key Code” 213 is the code number of each key. “Key Code” 213 may be a key code specified by a country or an international organization. Alternatively, “Key Code” 213 may be a physical code number of a keyboard. “Depress/Release” 214 indicates whether a key has been depressed or released. In this column, “1” corresponds to depression, and “0” corresponds to release.

The common interface driver 7 obtains key data through the data take-in section 18 and produces input data by adding time data to the key data in the data processing section 19 (see FIG. 3). The input data thus produced is transmitted to the server 202 by the TDI client driver section 20 through the LAN board driver 21.

[Processing at Server]

The server 202 receives the input data transmitted from the client 201 and stores it as an input data file 206 in a storage medium, e.g. a hard disk or a memory. At the server 202, data entered by specific users have been obtained in advance to produce a user database 205. The user authentication program 204 compares the data in the input data file 206 with the data in the user database 205 to identify the user.

The user authentication program 204 comprises a learning section 208 and an identifying section 209. The learning section 208 is a program for producing feature vectors from the user database 205. The identifying section 209 is a program for identifying the user by comparing the input data with the feature vectors. The function of each section will be shown below in detail.

[Learning Section 208]

In the learning section 208, teacher data is read to obtain feature vectors. Feature data is produced from the read teacher data by obtaining data concerning a key typed by the user, data concerning the time of depressing and releasing the key, and time data related to keys typed before and after the key, as illustrated in FIG. 19 by way of example. The time intervals t1 to t3 or t4 and t5 illustrated in FIG. 19 are one example of the feature data. Pieces of feature data corresponding to all the read teacher data are obtained, and feature vectors showing the characteristic features of all the pieces of feature data are obtained.

The flowchart of FIG. 21 shows the operating procedure of the learning section 208. When the user authentication program 204 in the server 202 is started, the program of the learning section 208 is executed (S400). Teacher data is read from the user database 205 stored in the server 202 (S401). The user database 205 is stored as a file in a text or binary form, for example. Subsequent teacher data is read until a specified number of pieces of teacher data have been read (S402→S401).

It is judged whether or not the teacher data has been read accurately (S403). If the teacher data has not accurately been read, the program of the learning section 208 is forcefully terminated (S404). If the teacher data has been read accurately, the feature vectors are initialized (S405). In the initialization of the feature vectors, a specified number of feature vectors are produced and initialized by using random numbers. The random numbers assume a value between the maximum and minimum values of the vectors in each class.

Then, learning is started. The number of times of learning is initialized (L=0) (S406), and LVQ learning is performed a predetermined number n of times (S407 to S409). In the LVQ learning, feature vectors are updated as expressed by Eq. 1. The learning is performed with a fixed at 0.1.

After the learning has been performed a predetermined number n of times, the feature vectors updated as the result of learning are written in memory (S410), and the program of the learning section 208 ends (S411). The feature vectors are outputted in a text or binary form and stored in the storage device of the server 202.

[Identifying Section 209]

Upon completion of the program of the learning section 208 executed to output feature vectors, the program of the identifying section 209 is executed. The flowchart of FIG. 22 shows the procedure of the program of the identifying section 209. When the program of the identifying section 209 is started (S420), the feature vectors outputted by the learning section 208 are read (S421). Then, input data concerning the user to be authenticated is read (S422).

The input data has already been transmitted from the client 201 and stored in the server 202 as the input data file 206. Upon completion of reading the input data, identifying processing is performed (S423). Upon completion of the identifying processing, the identification result is outputted (S424), and subsequent input data is read to perform identification (S425→S422). If there is no subsequent input data or a terminating instruction is received, the program is terminated (S426).

[Identification Result]

The identification result outputted by the program of the identifying section 209 is stored as a file in a text or binary form in the storage device of the server 202. FIG. 23 shows an example of identification results, which are shown in a table consisting of the row of “Read Files” 220 and the column of “Identification Results” 221. The row of “Read Files” 220 consists of rows “A”, “B”, . . . , “G”, and the column of “Identification Results” 221 consists of columns “A”, “B”, . . . , “G”.

Each row of “Read Files” 220 shows input data, and each column of “Identification Results” 221 shows each feature vector of teacher data. The cell at the intersection between each row and each column shows the proportion (percent) in which input data belongs to the corresponding feature vector. The program of the identifying section 209 reads “Read File A” 222, which is input data, and determines to which feature vector this input data belongs, and then outputs the result in percent.

From this table, it is possible to judge who is entering data from the keyboard of the client 201. Regarding the user of “Read File A” 222, the possibility that he or she may be a user having “Feature Vector A” 224 is “75%”. The possibility that the user of “Read File A” 222 may be a user having “Feature Vector B” 225 is “6%”. Regarding the user of “Read File B” 223, the possibility that he or she may be a user having “Feature Vector A” 224 is “0%”. The possibility that the user of “Read File B” 223 may be a user having “Feature Vector B” 225 is “100%”.

As will be understood from the above, the results of the identification vary according to each individual user's data entry characteristics. For a particular user, the identification result may be “100%”. However, if the data entry characteristics of one user are similar to those of another, the identification result may be of the order of “70%” to “80%”.
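The learning and identifying sections described above can be sketched end to end as follows. This is an added example, not code from the patent: it derives the t1, t2, t3 intervals of FIG. 19 graph (a) from depress/release records timed in 100-nanosecond units, trains LVQ1 feature vectors per Eq. 1, and reports a percentage per user. All function names, the two typing profiles and the generated sessions are constructed for illustration; holding the Eq. 1 coefficient at 0.1 and reading the percentage as the share of a session's feature rows nearest to each user's vectors are assumptions.

```python
import math
import random

DEPRESS, RELEASE = 1, 0
TICKS_PER_MS = 10_000  # "Time" is expressed in units of 100 nanoseconds


def extract_features(events):
    """Turn (time, key_code, depress_release) records into [t1, t2, t3] rows.

    For each pair of consecutive keystrokes: t1 = depress-to-depress,
    t2 = release-to-depress (negative when the keys overlap),
    t3 = release-to-release, all in milliseconds.
    """
    strokes, open_keys = [], {}
    for time, key, state in sorted(events):
        if state == DEPRESS:
            open_keys[key] = len(strokes)
            strokes.append([time, None])
        elif key in open_keys:              # a release without a depress is ignored
            strokes[open_keys.pop(key)][1] = time
    rows = []
    for (p1, r1), (p2, r2) in zip(strokes, strokes[1:]):
        if r1 is None or r2 is None:        # key still held when capture ended
            continue
        rows.append([(p2 - p1) / TICKS_PER_MS,
                     (p2 - r1) / TICKS_PER_MS,
                     (r2 - r1) / TICKS_PER_MS])
    return rows


def nearest(codebook, x):
    """Index of the feature vector at the closest distance to x."""
    return min(range(len(codebook)), key=lambda i: math.dist(codebook[i][1], x))


def train_lvq1(teacher, vectors_per_class=2, n=50, sigma=0.1, seed=0):
    """teacher: {user: [feature rows]}. Returns [(user, feature_vector), ...]."""
    rng = random.Random(seed)
    codebook = []
    for label, samples in teacher.items():
        lo = [min(col) for col in zip(*samples)]
        hi = [max(col) for col in zip(*samples)]
        for _ in range(vectors_per_class):  # random start inside the class range
            codebook.append((label, [rng.uniform(a, b) for a, b in zip(lo, hi)]))
    data = [(label, x) for label, samples in teacher.items() for x in samples]
    for _ in range(n):
        rng.shuffle(data)
        for label, x in data:
            i = nearest(codebook, x)
            m_label, m = codebook[i]
            sign = 1 if m_label == label else -1   # Eq. 1: attract or repel
            codebook[i] = (m_label,
                           [mi + sign * sigma * (xi - mi) for mi, xi in zip(m, x)])
    return codebook


def identify(codebook, rows):
    """Percent of the session's feature rows that fall to each user's vectors."""
    if not rows:
        return {}                           # too few keystrokes to judge
    hits = dict.fromkeys(sorted({label for label, _ in codebook}), 0)
    for x in rows:
        hits[codebook[nearest(codebook, x)][0]] += 1
    return {label: 100.0 * count / len(rows) for label, count in hits.items()}


def constructed_session(rng, hold_ms, gap_ms, keys=40):
    """Constructed sample input: one typing session as driver-style records."""
    events, press = [], 0
    for k in range(keys):
        hold = hold_ms + rng.randint(-10, 10)
        events.append((press * TICKS_PER_MS, 30 + k % 2, DEPRESS))
        events.append(((press + hold) * TICKS_PER_MS, 30 + k % 2, RELEASE))
        press += hold + gap_ms + rng.randint(-10, 10)
    return events


def demo():
    rng = random.Random(1)
    profiles = {"A": (90, 30), "B": (300, -60)}   # constructed (hold, gap) in ms
    teacher = {user: extract_features(constructed_session(rng, *p))
               for user, p in profiles.items()}
    codebook = train_lvq1(teacher)
    probe = extract_features(constructed_session(rng, *profiles["B"], keys=12))
    return identify(codebook, probe)


if __name__ == "__main__":
    print(demo())
```

The two constructed profiles are far apart, so the probe resolves cleanly to one user; typists with similar timing would split the percentage between columns, as the table in FIG. 23 describes.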

[Control Program]

The server 202 has a control program 210. The control program 210 is for obtaining access right, an accessible range, etc. of a user using the client 201 from the control database 211 by using the result of the user authentication performed by the user authentication program 204 and for transmitting the obtained data to the client 201.

The control program 210 receives the identification result outputted from the identifying section 209 and obtains data concerning the user corresponding to the identification result from the control database 211. The control program 210 transmits the data obtained from the control database 211 to the client 201.

FIG. 24 shows an example of the control database 211. The control database 211 is additionally provided with the column entitled “Client” 122 in comparison to the control condition database 36 shown in FIG. 7. The other columns 101 and 113 to 120 entitled in the same way as in the control condition database 36 are concerned with the control of access to files, which has been described above in connection with the first embodiment. “Client” 122 indicates the client 201 that a user is using, which is expressed by an identification address on the network.

In the column of “Client” 122 of the control database 211, the identification address of the client 201 has previously been stored. In the column of “User” 118, names of authorized users who can use the client 201 have previously been stored.

Upon receipt of the identification result from the identifying section 209, the control program 210 references the control database 211 to check whether or not the user corresponding to the identification result is an authorized one, and transmits result data to the client 201. The result data includes data such as the name of the user, the user's accessible range, and the right to access a file. If the user using the client 201 is not an authorized one, the control program 210 transmits the result data including an instruction for stopping the operation of the user using the client 201 to the client 201.

The client 201 receives the data from the server 202 and updates the control condition database 36. Accordingly, the user using the client 201 can be identified at all times, and it is possible to perform control according to the way in which the user is using the client 201. If the user is trying to make unauthorized access, the access can be stopped. The control program 210 and the user authentication program 204 may constitute the same program in which the programs 210 and 204 run in association with each other.

If it is found that the user is trying to make an unauthorized access or if the user cannot be authenticated as the result of the personal authentication performed at the server 202, the system of the client 201 can be locked by an instruction from the server 202. The system can be unlocked by an instruction from the server 202 or by access from the system administrator of the client 201. Preferably, when the power to the client 201 is turned on after it has been turned off with the system of the client 201 placed in the locked state, the system is reset with the operating environment thereof maintained in the condition immediately before the turning off of the power. In this case, various parameters concerning the operating environment are stored in a storage device of the client 201, e.g. a hard disk or a memory.

FIELD OF INDUSTRIAL APPLICATION

In the present invention, the access to the file system from an input device is controlled in the kernel mode, and an accessible range and access right are set for each user. In addition, authentication of a user using the electronic computer is performed, and the access to the file system is controlled in the kernel mode on the basis of the user's accessible range and access right. When there is unauthorized access, an unregistered user's access, etc., the system can be locked. Authentication of a user is performed when the user accesses the electronic computer for the first time, or sequentially when the user uses the electronic computer. Accordingly, it is possible to ensure security even more if the present invention is used by being incorporated in management systems in fields related to security protection, e.g. management systems handling personal data, national classified information, corporate secret data, etc.

1. A method of controlling a file system driver of an electronic computer connected with a plurality of devices, including a storage device, and operated by an operating system, wherein when access is made from an input device of said electronic computer or an application program to a specific file in a file system of said electronic computer, said access is controlled; said method comprising the steps of: receiving said access in a kernel mode that is an operating mode in which all instructions of said operating system are executable; referencing an access control database comprising filenames in said file system and an access method to judge whether or not said access to said specific file conforms to conditions prescribed in said access control database; and canceling said access if it does not conform to said conditions.
 2. The method according to claim 1, wherein if said access conforms to said conditions, said access is transmitted to a file system driver for controlling said file system, and said conditions corresponding to said specific file in said access control database are changed.
 3. The method according to claim 1 or 2, wherein said access method comprises at least one of control operations of creating a file, opening a file, closing a file, reading a file, and writing a file, and said control operations each include a number of execution of control process.
 4. The method according to claim 3, wherein said access is canceled when said number of execution of control process has become less or more than a preset value.
 5. (canceled)
 6. (canceled)
 7. The method according to claim 1 or 2, wherein said access is access to said file system from a keyboard or a mouse serving as said input device, and a function of said input device is stopped or temporarily suspended according to said conditions.
 8. The method according to claim 1 or 2, wherein personal authentication is performed by using each individual's data entry characteristics exhibited when entering data from keys of a keyboard serving as said input device, to identify a user, and said access control database is referenced to obtain said conditions indicating an accessible range within which said user can make said access, thereby controlling said access made by said user.
 9. The method according to claim 8, wherein said personal authentication is performed at a server connected to said electronic computer through a network; a control database having said conditions indicating an accessible range within which the user can make said access has previously been stored in a storage device of said server; said conditions for said user identified by said personal authentication are obtained by referencing said control database; an instruction for controlling said access made by said user is transmitted to said electronic computer from said server; and said electronic computer controls said access made by said user according to said instruction so as to effect at least one of the following: access limitation; access cancellation; and system lock.
 10. An access control program for controlling a file system driver of an electronic computer connected with a plurality of devices, including a storage device, and having an operating system for operating said electronic computer, wherein when access is made from an input device of said electronic computer or an application program to a specific file in a file system of said electronic computer, said access control program allows said electronic computer to function as a means for controlling an access instruction requesting said access, said access control program comprising: interface means for receiving said access instruction in a kernel mode that is an operating mode in which all instructions of said operating system are executable; flow control means for analyzing said access instruction and for controlling a flow of data; referencing means for referencing an access control database comprising a column of filenames in said file system and a column of at least one access method and for outputting a referencing result; data processing means for passing information concerning said specific file and said access instruction to said referencing means and for receiving said referencing result relative to said access instruction to make judgment; a file system driver for controlling said file system; and file system supervising driver means for receiving and passing said access instruction to said file system driver and for receiving a result of execution of said access instruction from said file system driver.
 11. The access control program according to claim 10, wherein said specific file and said access method obtained as a result of analysis made by said flow control means are passed to said data processing means, and if a result of said judgment made by said data processing means is “abnormal”, said data processing means cancels said access instruction.
 12. The access control program according to claim 10, wherein said specific file and said access method obtained as a result of analysis made by said flow control means are passed to said data processing means, and if a result of said judgment made by said data processing means is “normal”, said data processing means passes said access instruction to said file system supervising driver means, and said referencing means makes a change corresponding to said access instruction to said access control database.
 13. (canceled)
 14. The access control program according to claim 11, wherein if a value in said column of access method for said specific file is a predetermined value, said judgment made by said data processing means produces said “abnormal” result.
 15. The access control program according to claim 14, wherein said column of access method comprises at least one of columns of creating a file, opening a file, closing a file, reading a file, writing a file, file accessible period, and file accessible time zone, and a value in said column comprises at least one selected from an integer, a symbol, and a word.
 16. (canceled)
 17. (canceled)
 18. The access control program according to claim 10, further comprising: input means for receiving input data entered from said input device; wherein said data processing means has a function to stop all or a part of functions of said input device, and said data processing means receives and analyzes said input data from said input means, and provides specific data in said input data to said interface means.
 19. (canceled)
 20. The access control program according to claim 18, wherein said input means is a keyboard, and stopping of said function is stopping of input data entered from a specific key of said keyboard.
 21. The access control program according to claim 18, wherein said input means is a mouse, and stopping of said function is stopping of specific data entered from said mouse.
 22. The access control program according to claim 10, wherein storage means of said electronic computer contains a personal authentication program for performing personal authentication of a user using said electronic computer, said personal authentication program comprising: means for obtaining key entry data comprising signals entered from keys of a keyboard serving as said input device; first authentication means for performing said personal authentication using data entry characteristics exhibited when entering said key entry data to identify said user; means for obtaining said conditions indicating an accessible range within which said user can make access by referencing said access control database; and control means for transmitting said conditions to said flow control means to control said access made by said user.
 23. The access control program according to claim 22, wherein storage means of a server connected to said electronic computer through a network contains a control program and a control database comprising users' personal information and control conditions, and said electronic computer has transmission means for transmitting said key entry data to said server, said control program having: reception means for obtaining transmission data transmitted by said transmission means; second authentication means for performing said personal authentication using data entry characteristics exhibited when entering said key entry data, which is included in said transmission data, to identify said user; database referencing means for obtaining said conditions indicating an accessible range within which said user can make access by referencing said control database; and control condition transmitting means for transmitting said conditions and a control instruction to said electronic computer to control said user's access.
 24. A storage medium containing an access control program for controlling a file system driver of an electronic computer connected with a plurality of devices, including a storage device, and having an operating system for operating said electronic computer, wherein when access is made from an input device of said electronic computer or an application program to a specific file in a file system of said electronic computer, said access control program allows said electronic computer to function as a means for controlling a requested access instruction, said access control program comprising: application interface means for receiving said access instruction in a kernel mode that is an operating mode in which all instructions of said operating system are executable; flow control means for analyzing said access instruction and for controlling a flow of data; referencing means for referencing an access control database comprising a column of filenames in said file system and a column of at least one access method and for outputting a referencing result; data processing means for passing information concerning said specific file and said access instruction to said referencing means and for receiving said referencing result relative to said access instruction to make judgment; a file system driver for controlling said file system; and file system supervising driver means for receiving and passing said access instruction to said file system driver and for receiving a result of execution of said access instruction from said file system driver.
 25. The storage medium according to claim 24, wherein said specific file and said access method obtained as a result of analysis made by said flow control means are passed to said data processing means, and if a result of said judgment made by said data processing means is “abnormal”, said data processing means cancels said access instruction.
 26. The storage medium according to claim 24, wherein said specific file and said access method obtained as a result of analysis made by said flow control means are passed to said data processing means, and if a result of said judgment made by said data processing means is “normal”, said data processing means passes said access instruction to said file system supervising driver means, and said referencing means writes a change corresponding to said access instruction into said access control database.
 27. (canceled)
 28. The storage medium according to claim 25, wherein if a value in said column of access method for said specific file is a predetermined value, said judgment made by said data processing means produces said “abnormal” result.
 29. The storage medium according to claim 28, wherein said column of access method comprises at least one of columns of creating a file, opening a file, closing a file, reading a file, writing a file, file accessible period, and file accessible time zone, and a value in said column comprises at least one selected from an integer, a symbol, and a word.
 30. (canceled)
 31. (canceled)
 32. The storage medium according to claim 24, wherein said access control program further comprises: input means for receiving input data entered from said input device of said electronic computer; wherein said data processing means has a function to stop all or a part of functions of said input device, and said data processing means receives and analyzes said input data from said input means, and provides specific data in said input data to said application interface means.
 33. (canceled)
 34. The storage medium according to claim 32, wherein said input means is a keyboard, and stopping of said function is stopping of input data entered from a specific key of said keyboard.
 35. The storage medium according to claim 32, wherein said input means is a mouse, and stopping of said function is stopping of specific data entered from said mouse.
 36. The storage medium according to claim 24, wherein storage means of said electronic computer contains a personal authentication program for performing personal authentication of a user using said electronic computer, said personal authentication program comprising: means for obtaining key entry data entered from keys of a keyboard serving as said input device; first authentication means for performing said personal authentication using data entry characteristics exhibited when entering said key entry data to identify said user; means for obtaining said conditions indicating an accessible range within which said user can make said access by referencing said access control database; and control means for transmitting said conditions to said flow control means to control said access made by said user.
 37. The storage medium according to claim 36, wherein storage means of a server connected to said electronic computer through a network contains a control program and a control database comprising users' personal information and control conditions, and said electronic computer has transmission means for transmitting said key entry data to said server, said control program having: reception means for obtaining transmission data transmitted by said transmission means; second authentication means for performing said personal authentication using data entry characteristics exhibited when entering said key entry data, which is included in said transmission data, to identify said user; database referencing means for obtaining said conditions indicating an accessible range within which said user can make access by referencing said control database; and control condition transmitting means for transmitting said conditions and a control instruction to said electronic computer to control said user's access.